Republic of Korea: Issued revised Guidelines on the Use of Health data including clarifications on pseudonymisation requirements

On 29 December 2022, the Personal Information Protection Commission (PIPC) of Korea published a revised version of its Guidelines on the Use of Health Data. The new guidelines address the pseudonymisation of personal data and its use for statistical, scientific and public interest purposes by public institutions and private corporations. Pseudonymisation is defined as the deletion of part of the information or its replacement to prevent the identification of the individual to whom the data is related. In particular, the special role of health data in pseudonymisation is emphasised, for which standards, procedures, and security measures to be adopted during the processing process to guarantee the privacy of the persons concerned are then established. The requirements for the pseudonymisation of data are established in the Personal Information Protection Act (PIPA), and the guidelines clarify that the requirements apply to health data as well. The new guidelines outline how the data processor should handle pseudonymous information, the transfer of pseudonymous data to third parties, transparency towards the data owner, and ethical measures to be taken. Furthermore, the Guidelines stipulate that pseudonymous information must be deleted as soon as its use has ended and that it may under no circumstances be used to identify an individual. The Guidelines list the penalties under PIPA that apply to anyone violating the pseudonymisation requirements. In particular, entities may face civil penalties ranging from a minimum of KRW 1'000 up to KRW 50 million and imprisonment for up to two years.